TryHackMe: Advent of Cyber 2 [Day 2] The Elf Strikes Back!
Room: Advent of Cyber 2
After your heroic deeds regaining control of the control centre yesterday, Elf McSkidy has decided to give you an important job to do.
“We know we’ve been hacked, so we need a way to protect ourselves! The dev team have set up a website for the elves to upload pictures of any suspicious people hanging around the factory, but we need to make sure it’s secure before we add it to the public network. Please perform a security audit on the new server and make sure it’s unhackable!”
You listen to the briefing and accept the task, pressing the deploy button to start the server as you do so.
At the bottom of the dossier is a sticky note containing the following message:
For Elf McEager:
You have been assigned an ID number for your audit of the system:
ODIzODI5MTNiYmYw. Use this to gain access to the upload section of the site.
Question #1 What string of text needs added to the URL to get access to the upload page?
I started by heading to the webpage:
I then added a GET parameter to reflect the ID that I was given:
The answer for Question #1 is: ?id=ODIzODI5MTNiYmYw
Question #2 What type of file is accepted by the site?
The website says, “If you see any suspicious people near the factory, take a picture and upload it here!” So let’s assume you can upload .jpg files.
I made a test file to see if this was true:
You can also check the source code here and see that it accepts three types of image files:
Question #3 In which directory are the uploaded files stored?
If you try a couple of the usual suspects, you can see that the files all land in the /uploads/ directory:
Question #4 What is the flag in /var/www/flag.txt?
We can use the uploads directory to upload a reverse shell. If you are using the THM Attack Box, there is one located here:
If not, the instructions for the challenge will point you towards one, or you can use this one HERE.
Make sure you go through and edit it to reflect your Attack Box IP and the port you want to receive the reverse shell:
After that I changed the name of the file to trick the upload form into thinking it was a .jpg:
Then I set up a netcat listener to receive the connection on that same port:
Now upload your file, and make sure to select, “All File Types” from the drop down menu so you can see the .php file.
Now head back to that uploads page, refresh, and click on your reverse shell:
Back at your listener, you should have received a connection:
From here you can grab the flag!
Happy Hacking! ❤